Microsoft releases patch against latest Explorer vulnerability, Sophos comments

October 06, 2003 Sophos Press Release

Microsoft has issued a security patch which reportedly fixes a critical vulnerability in versions of Internet Explorer. The vulnerability was recently exploited by the Troj/Qhosts-1 Trojan horse.

Microsoft categorised the vulnerability as "critical" and urged customers to "apply the patch immediately". According to Microsoft the following versions of Internet Explorer are affected: Internet Explorer 5.01, Internet Explorer 5.5, Internet Explorer 6.0, and Internet Explorer 6.0 for Windows Server 2003.

More information about the vulnerability and how to apply the patch can be found on Microsoft's website at www.microsoft.com/technet/security/bulletin/MS03-040.asp.

"Unlike worms like Blaster and Slammer, where patches were available before the virus existed, a Trojan horse which exploited this vulnerability was spotted before Microsoft had a fix," said Graham Cluley, senior technology consultant for Sophos. "With more vulnerabilities coming to light all the time, companies may have to rethink whether full internet access for all employees is such a good idea."

Microsoft has published step-by-step instructions for home users on how to help protect their computers with critical updates in future.

Sophos recommends that every IT manager responsible for security should consider subscribing to vulnerability mailing lists such as that operated by Microsoft at www.microsoft.com/technet/security/bulletin/notify.mspx.